How to Implement Custom Claims?

[litewarp]

What is the difficulty, if any, in supporting custom claims? I'm sure you don't want to dump in all the claim data into the cookie, but could we either set a flag or pass in an array of keys when initializing to include the custom claims?

If we were to use a flag, you could include all the claims that result from the call to customClaims from the admin server-side?

// get customClaims from fb
const { customClaims } = await admin.auth().getUser(uid)

return customClaims

Or could we pass in an array of keys to include in the cookie?

// only include user-identified keys set in init
const claimsToInclude = [ "admin", "subscribed"]

const { customClaims } = await admin.auth().getUser(uid)

const includedClaims = claimsToInclude.map(key => customClaims[key] ?? '')

return includedClaims

Happy to help out! Really like your library, but need custom claims before I can rely on it instead of client-side-tokens atm.

Thanks in advance.

[kmjennison]

I agree, it sounds doable to support custom claims. I initially didn't include them because I was uncertain if the same claims data and data structure was available from both the Firebase admin SDK and web JS SDK. However, the docs suggest that shouldn't be a problem.

I'm actually not too concerned about the cookie size overhead, because Firebase already limits the size of claims, and managing claims data is up to each developer. More, I want to make sure:

1. It doesn't add requests or other overhead for people who don't use claims. For example, I wouldn't want the to call admin.auth().getUser every time.
2. The claims data on AuthUser is structured the same on the server and client.
3. It's backward-compatible / doesn't add a lot of complexity

It looks like this should be achievable just using the fields from verifyIdToken on the admin side.

Feel free to discuss approaches and/or open a PR. Thanks for opening this discussion!

[litewarp]

FYI, I just pushed some simple fixes to add custom claims without any additional network requests.